Today, the detection of malicious software is becoming more challenging as the World Wide Web becomes the preferred distribution channel for malware. There exist JavaScript-based malware installers, Web-based robot network (“botnet”) control interfaces (e.g., MPack, IcePack, WebAttacker, Zunker, etc.), and fast-cycling malware Web sites. It can be difficult to source and collect malware samples, and there is a longer delay not only in waiting for a customer to report that their enterprise is infected, but also in waiting for a virus pattern to be deployed.
With the increase in viruses, worms, spyware, and other types of computer malware, current antivirus and anti-malware software is becoming more aggressive in detecting malicious software. Often, beta patterns or aggressive patterns are used by anti-malware software in an attempt to better detect malware. Beta patterns are typically newly written patterns that are still under an internal beta test period, while aggressive patterns are patterns that may have a better detection rate but also a somewhat higher false alarm (false positive) rate.
Inevitably, though, the use of beta and aggressive patterns results in more false positives and an increased burden on users of client machines and on enterprise system administrators. Traditionally, antivirus vendors have responded to the increase in false positives by providing user-configurable options in their antivirus software that dictate what happens when a suspicious file is detected. These options are typically: an aggressive level (specific actions are taken to eliminate or contain the malware); a warning level (warnings are given, but the file may not be removed); and a no-action level (if a suspicious file is detected, no action is taken, but the user is alerted). The specific actions can be: “Clean,” “Move,” “Delete,” “Quarantine,” and “Warn, but Do Nothing.” Further, most products have different user interfaces and assign different meanings to these actions.
Unfortunately, most computer users, system administrators, and other managers of antivirus software therefore do not have sufficient knowledge of what these options mean, or of the ramifications of the various actions, to make the right choice. The result is often reduced malware detection, burdensome actions on user computers, or too many false positives.
It would be desirable to have a technique and system that better reduces false positives in the course of malware detection while still providing a high level of security.